1996-03-31 - Re: [NOISE] Cable-TV-Piracy-Punks

Header Data

From: “Dave Emery” <die@pig.die.com>
To: perry@piermont.com
Message Hash: 0a386d0f0a1a7ddc4ea677b277ab1cecd74d817760b5f9b73fc82e527c30df19
Message ID: <9603310537.AA20289@pig.die.com>
Reply To: <199603310021.TAA17420@jekyll.piermont.com>
UTC Datetime: 1996-03-31 11:42:45 UTC
Raw Date: Sun, 31 Mar 1996 19:42:45 +0800

Raw message

From: "Dave Emery" <die@pig.die.com>
Date: Sun, 31 Mar 1996 19:42:45 +0800
To: perry@piermont.com
Subject: Re: [NOISE] Cable-TV-Piracy-Punks
In-Reply-To: <199603310021.TAA17420@jekyll.piermont.com>
Message-ID: <9603310537.AA20289@pig.die.com>
MIME-Version: 1.0
Content-Type: text/plain

> .pm  writes:

> Why not? If the card knows its own key, then someone else can probably
> get the key out by some nasty mechanism.

	One of the earliest breaks of the Videocipher II  analog satellite
descrambler back in 1986 was based on twidling with the timing and
electrical characteristics of the chip clock on the supposedly
tamperproof TMS 7000 crypto microprocessor until it stared to misexecute
instructions.  By chance, some PROM code that allowed reading the secret
seed keys used by each individual box to decode master keying messages
addressed to it happened to be a few instructions after some other code
normally accessible by issuing commands to the chip. One kept issuing
those commands while corrupting the clock until the chip misexecuted the
branch at the end of the public code and fell into the otherwise
inaccessible code that allowed access to the seed keys. 

	So yes, this has already been done in one real case of
cryptosystem defeat.  For a while, it was the standard method of
obtaining seed keys from VC-II boards.

	Later versions of the ROM code removed that vulnerability.